Spotlight on Lightify!

We already tested the Philips Hue as well as the IKEA TRADFRI lighting system. Now let’s see whether the third big player in the “league of light” beats them. Osram Lightify (aka Sylvania Smart+) also comes with a Gateway as well as several bulbs, garden lights and so on.

Initial setup / Device pairing

In contrast to Hue and TRADFRI, Lightify users have to create an Osram Lightify account in order to use the solution. The initial setup of the Gateway does not pair it with the app; it is paired with the Osram Lightify account. Pairing additional phones likewise only requires logging in with the Lightify account. To pair additional lights, they only have to be switched on; the device search is then started from the app.

Application

For our app analysis, we downloaded and installed “Lightify” from the Google Play Store (https://play.google.com/store/apps/details?id=com.osram.lightify). As with the other smart home lighting systems tested in this blog, we would have liked to see an overview of the registered devices in the app. The decompiled source code of the app is partially obfuscated: the class names appear to be the original ones, but all method names were obfuscated. The app does not implement security features such as certificate pinning. The storage of the user’s shared preferences (such as username and password) is pseudo-secure at best. Although the XML files are located in the private app storage (and by default cannot be accessed by other apps), mobile malware that roots the phone could read the settings. Decrypting them is fairly easy, because Osram uses a “Crypto” implementation from Arrayent (see below). This code only uses basic password-based encryption with DES and could easily be reconstructed, as shown in the following image.

Reconstructed decryption tool for the Osram App

Online communication

For the online communication, Osram uses the Arrayent Connect platform. All communication via this platform is encrypted: QUIC is used, an experimental protocol based on UDP that is TLS 1.3-encrypted by default.

Online communication via QUIC

We also tested Osram’s Lightify skill for the Amazon Echo. The registration process is not very convenient: not only the Lightify login is required, but also the serial number of the Lightify Gateway. The communication between Alexa and the Lightify Gateway is identical to the app’s cloud communication and therefore equally secure.

Local communication

Like Philips Hue, the Lightify Gateway communicates completely unencrypted on the local network, though via a binary protocol. Details about the protocol used can be found here.

Local communication in binary format

On port 4000/TCP, a service waits for commands from the app. We wonder why Osram did not implement any authentication for local access: the Python library python-lightify let us control the lights without logging in.

Privacy

An Osram Lightify account is mandatory for using the app. The registration process requires pleasingly little information: an e-mail address and a password. When registering, information about the device on which the app is installed, the public IP address, and the version and configuration of the Lightify devices is uploaded to Osram. The recorded data is used to maintain and improve the application services (and for marketing purposes, if activated in the app’s settings). A tracker is also integrated into the app, which collects additional pseudonymized data; it too can be disabled in the app’s settings. The privacy policy also informs about data processing outside the EU (Switzerland and USA) and about the contact address for privacy concerns (the CDPO of Osram Germany).

The permissions of the Android app are limited to the necessary scope, and their purpose is clearly described in the privacy policy.

Camera (optional, scanning the Lightify Gateway’s QR code)

Location (optional, enables the geofencing feature; not saved in the cloud)

Wi-Fi (required to communicate with the Gateway)

App permissions

Conclusion

Lightify is the smart lighting solution of the multinational lighting manufacturer Osram. Unlike its competitors, it requires an account to control the lights; in return, secure remote control is available without any additional configuration. Communication in the local network is completely unencrypted, which (as mentioned in our Philips Hue test) should be a no-go these days. Once Osram improves their solution on this point, the rating will also improve to three stars.